I am getting an error when I try to add a binding to an SSL certificate.
Error:
Failed to add SSL binding. The certificate with thumbprint '877EC1DA24CD9D4713FD4107A83AC0EE5A4654E4' is invalid for SSL. The Enhanced Key Usage must be present and must contain Server Authentication (1.3.6.1.5.5.7.3.1).
Below is the method used to generate the SSL certificate.
Step 1
Create file domain.rs.txt
Step 2
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C=DK
ST=Jutland
L=Haderslev
O=Justlearn ApS
OU=Haderslev
emailAddress=team@justlearn.com
CN = www.justlearn.rs
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = justlearn.rs
DNS.2 = www.justlearn.rs
Step 3
openssl req -new -sha256 -nodes -out domain.rs.csr -newkey rsa:2048 -keyout domain.rs.key -config domain.rs.txt
Step 4
openssl x509 -req -days 365 -in domain.rs.csr -signkey domain.rs.key -out domain.rs.crt
Step 5
openssl pkcs12 -export -in domain.rs.crt -inkey domain.rs.key -out mycert.pfx
Create your certificate with XCA. Then in the key usage tab make sure you select the "TLS Web Server Authentication" option. Also check "is critical".
After that you need to export your certificate and key.
Then use OpenSSL to convert the .crt to PFX in case you need it; see the command below.
openssl pkcs12 -export -out C:\Certificate\BBBakingdecor.pfx -inkey C:\Certificate\bakingdecor.pem -in C:\Certificate\bakingdecor.crt
I am trying to enable HTTPS on my pure nodeJS server (No express.js). To enable HTTPS I am using Openssl and generating keys and certificates which I can then load into the server file.
###################################
The problem:
###################################
I checked online, and most people were saying that the problem is occurring due to the common name of my CA certificate and Server certificate being the same. I did enter different values for both, and still the error persists.
######################################
Commands used to generate keys and certificates:
######################################
# Generating our private keys
openssl genpkey -algorithm ed25519 -outform pem -out ca_pvt_key.pem
openssl genpkey -algorithm ed25519 -outform pem -out server_pvt_key.pem
# Generating our certificate
openssl req -inform pem -key ca_pvt_key.pem -days 36000 -x509 -config openssl-ca.cnf -nodes -outform pem -out ca_cert.pem
openssl x509 -outform der -in ca_cert.pem -out ca_cert.crt
# Creating the CSR (Certificate Signing Request) for the server
openssl req -new -config openssl-server.cnf -key server_pvt_key.pem -nodes -outform pem -out server_certificate.csr
# Creating required index.txt and serial.txt files for openssl ca
touch index.txt
echo '01' > serial.txt
# Generating our final signed certificate
openssl ca -config openssl-ca.cnf -notext -policy signing_policy -extensions signing_req -out server_certificate.pem -infiles server_certificate.csr
openssl ca -config openssl-ca.cnf -notext -policy signing_policy -extensions signing_req -out server_certificate.crt -infiles server_certificate.csr
cat server_certificate.pem > cert_chain.pem
cat ca_cert.pem >> cert_chain.pem
##################################
Configuration file snippets for above commands
##################################
CA config file
[ ca_extensions ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
basicConstraints = critical, CA:true
keyUsage = keyCertSign, cRLSign
Server certificate config file
####################################################################
[ server_req_extensions ]
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alternate_names
nsComment = "OpenSSL Generated Certificate"
####################################################################
[ alternate_names ]
DNS.1 = localhost
# IPv4 localhost
IP.1 = 127.0.0.1
# IPv6 localhost
IP.2 = ::1
#################################
Server File snippet
#################################
const https = require("https");
const fs = require("fs");
const path = require("path");
const port = 3000;
const options = {
  // host, port, path and agent are https.request (client) options;
  // https.createServer ignores them.
  host: "localhost",
  port: port,
  path: "/",
  rejectUnauthorized: false,
  requestCert: true,
  agent: false,
  key: fs.readFileSync(path.join(path.resolve(__dirname, "../../"), "/certs/server_pvt_key.pem")),
  cert: fs.readFileSync(path.join(path.resolve(__dirname, "../../"), "/certs/cert_chain.pem")),
};
const server = https.createServer(options, (req, res) => {
  // Pure node server
  res.writeHead(200, { "Content-Type": "text/plain" });
  res.end("ok");
});
server.listen(port);
##################################
System details
##################################
I am running a podman container with OpenSUSE Tumbleweed. The host system is Ubuntu 22.04 LTS.
##################################
Extra details
##################################
I added the ca_cert.crt file to /usr/local/share/ca-certificates on Ubuntu. I also added the server_certificate.crt and server_pvt_key.pem into /etc/ssl/certs and /etc/ssl/private respectively.
##################################
Testssl Output
##################################
##################################
curl
##################################
curl does fetch me my site HTML. However, the moment I am in the browser, I get the cipher error.
##################################
Browser Trust Store
##################################
I am using Brave Browser. When I try to import my ca_cert.pem or ca_cert.crt file into the Authorities tab in Brave, it shows me the following:
Anyone have any idea why this is happening and how I could fix it?
I have generated the SSL certificate using OpenSSL with the following commands, which generated the cert and key files, but where do I get the ca-bundle file? I need the ca-bundle file to include in the Node.js application, otherwise it shows a "not secure" warning.
openssl genrsa -out server-key.pem 1024
openssl req -new -key server-key.pem -out server-csr.pem
openssl x509 -req -in server-csr.pem -signkey server-key.pem -out server-cert.pem
My server's code:
const https = require("https");
const fs = require("fs");
// app: the request handler, e.g. an Express application
const options = {
  key: fs.readFileSync("path-to-key"),
  cert: fs.readFileSync("path-to-crt"),
  ca: [fs.readFileSync("path-to-ca-bundle"), fs.readFileSync("path-to-crt")],
  requestCert: false,
  rejectUnauthorized: false
};
const server = https.createServer(options, app);
server.listen(443); // port is a placeholder
Brief description of what I've done and what I would like to achieve:
I was trying to add certificate to azure key vault via UI:
I got those certificates as ca.crt (openssl req -new -x509 -days 1826 -key ca.key -out ca.crt) and ca.key (openssl genrsa -des3 -out ca.key 2048), but Azure Key Vault requires certificates in .pem or .pfx format.
I decided to convert the cert and key into PEM format: key: openssl rsa -in ca.key -text > ca_key.pem
cert: openssl x509 -in ca.crt -out ca.pem, then copied ca_key.pem inside ca.pem
I was trying with only cert + key, and with key extra data (binaries or something)
I was getting this error from the UI: The specified PEM X.509 certificate content is in an unexpected format. Please check if certificate is in valid PEM format.
I decided to install the Azure CLI and pass those in PFX format: openssl pkcs12 -export -out ca.pfx -inkey ca.key -in ca.crt, and that works properly; I'm able to see the created cert in Key Vault certificates,
and there the problem begins. I would like to get the certificate with the Azure Node library and extract the separate key and cert to use them. What I've achieved so far:
import { SecretClient } from "@azure/keyvault-secrets";
import * as fs from "fs";
// credential, keyVaultUrl and certificateName are defined elsewhere
const secretClient = new SecretClient(keyVaultUrl, credential);
const certificateSecret = await secretClient.getSecret(certificateName);
const PKCS12Certificate = certificateSecret.value!;
fs.writeFileSync("myCertificate.p12", PKCS12Certificate);
I got the file and, as the documentation says:
https://www.npmjs.com/package/@azure/keyvault-certificates#getting-the-full-information-of-a-certificate
I was trying to execute:
openssl pkcs12 -in myCertificate.p12 -out myCertificate.crt.pem -clcerts -nokeys
to extract the CA certificate from the p12, but I'm still getting an error:
34359836736:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:crypto/asn1/tasn_dec.c:1149:
34359836736:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:309:Type=PKCS12
Any ideas what I'm doing wrong?
I am using cryptogen version 1.4.0; it does not create the keystore folder inside the msp. Please suggest a solution for this. What I am trying to achieve is: using the cryptogen tool, create the certificates and run the Fabric CA server with the offline-generated certificate using Docker.
I think it makes more sense to use openssl for that purpose.
Write your suitable csr.cnf (change dn and alt_names values):
[req]
prompt = no
default_md = sha256
distinguished_name = dn
x509_extensions = x509_ext
[dn]
CN = mydomain.com
C = US
ST = New York
L = New York
O = MyOrg
OU = MyDepartment
[x509_ext]
basicConstraints=critical, CA:TRUE, pathlen:2
keyUsage=critical, Certificate Sign, CRL Sign
subjectKeyIdentifier=hash
subjectAltName = @alt_names
[alt_names]
DNS.1 = mydomain.com
IP.1 = 127.0.0.1
And then generate the key and the certificate:
openssl ecparam -genkey -name prime256v1 -noout -out ca-key.pem
openssl req -new -x509 -key ca-key.pem -out ca-cert.pem -days 7300 -config csr.cnf
And then use ca-cert.pem and ca-key.pem in your CA.
Anyway, Fabric-CA itself generates the certificate according to your fabric-ca-server-config.yaml parameters on first run if it does not exist.
The issue
I wrote a minimal server that requires a client certificate, but it always rejects connections with the following authorizationError: DEPTH_ZERO_SELF_SIGNED_CERT. I put the steps I followed below, and they are quite simple, so you should be able to reproduce this in minutes, should you want to "try this at home". This is with Node.js 0.10.24. Am I doing something wrong?
What I did
First, I generated self-signed client and server certs as follows (instructions from the Client Side Certificate Auth in Nginx post); this is in an ssl subdirectory.
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
openssl genrsa -des3 -out client.key 1024
openssl req -new -key client.key -out client.csr
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
Then, I run the following program with Node.js (i.e. put it in server.js and run node server.js).
var https = require('https');
var fs = require('fs');
var options = {
  key: fs.readFileSync('ssl/server.key'),
  cert: fs.readFileSync('ssl/server.crt'),
  ca: fs.readFileSync('ssl/ca.crt'),
  requestCert: true,
  rejectUnauthorized: false
};
https.createServer(options, function (req, res) {
  if (req.client.authorized) {
    res.writeHead(200, {"Content-Type":"application/json"});
    res.end('{"status":"approved"}');
    console.log("Approved Client ", req.client.socket.remoteAddress);
  } else {
    res.writeHead(401, {"Content-Type":"application/json"});
    res.end('{"status":"denied"}');
    console.log('authorizationError:', req.client.authorizationError);
    console.log("Denied Client " , req.client.socket.remoteAddress);
  }
}).listen(5678);
Finally, I try to connect with curl:
curl -v -s -k --key ssl/client.key --cert ssl/client.crt https://localhost:5678
This is where it fails with an authorizationError: DEPTH_ZERO_SELF_SIGNED_CERT. I've read folks are having more luck setting process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0"; rather than using rejectUnauthorized: false, but that doesn't seem to make a difference in my case.
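Pulling the procedures on this page together, here is an added example (my own, not from any of the posts) that builds a private CA and a CA-signed server certificate the way the first post's SSL binding and the last post's Node.js server both need it: EKU serverAuth and a SAN on the leaf, supplied again at signing time because openssl x509 -req drops the CSR's req_extensions, and a CA subject that differs from the leaf subject so the leaf is not mistaken for self-signed. All names and paths are constructed; it assumes OpenSSL 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Added example, not from any post on this page: a throwaway private CA and a
# CA-signed server certificate with the extensions the SSL binding and the
# browser require, plus checks for the failure modes described above.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
# Different subjects: a leaf whose subject equals its issuer is treated as self-signed.
CA_SUBJ="/O=Example Lab/CN=Example Lab Root CA"
LEAF_SUBJ="/O=Example Lab/CN=www.example.test"
cat >"$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = placeholder, overridden by -subj
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test, DNS:example.test
EOF
make_ca() {
  openssl req -x509 -config "$WORK/openssl.cnf" -extensions ca_ext -newkey rsa:2048 \
    -nodes -sha256 -days 3650 -subj "$CA_SUBJ" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}
# 'openssl x509 -req' ignores req_extensions in the CSR, so the leaf extensions
# (EKU serverAuth, SAN) are supplied again with -extfile/-extensions.
make_leaf() {
  openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "$LEAF_SUBJ" -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/openssl.cnf" -extensions leaf_ext -out "$WORK/server.crt" 2>/dev/null
}
# 0 when the leaf carries EKU serverAuth, uses an RSA or EC key (browsers do not
# accept Ed25519 server certificates) and chains to the CA for the sslserver purpose.
check_leaf() {
  text=$(openssl x509 -in "$WORK/server.crt" -noout -text)
  echo "$text" | grep -q "TLS Web Server Authentication" || return 1
  echo "$text" | grep -Eq "Public Key Algorithm: (rsaEncryption|id-ecPublicKey)" || return 1
  openssl verify -purpose sslserver -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1
}
# 0 when subject and issuer differ, i.e. the leaf is not self-signed.
not_self_signed() {
  [ "$(openssl x509 -in "$WORK/server.crt" -noout -subject | cut -d= -f2-)" != \
    "$(openssl x509 -in "$WORK/server.crt" -noout -issuer | cut -d= -f2-)" ]
}
make_ca && make_leaf && check_leaf && not_self_signed && echo "server.crt is usable"
```

For an IIS or Azure upload, bundle the result with openssl pkcs12 -export -in server.crt -inkey server.key -certfile ca.crt -out server.pfx, where -certfile carries the CA chain into the PFX.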